Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Stronger ID theft protections urged in wake of ChoicePoint Fraud

More than a dozen states are considering tougher safeguards for consumers.

Thursday, February 17, 2005

Gail Hillebrand, Consumers Union: 415-431-6747
Kerry Smith, National Assn. of PIRGs: 215-732-3747


11 States Consider Security Freeze Right For Consumers; Two Others
Consider Requiring Companies to Notify Customers About Security Breaches

SAN FRANCISCO, CA – Recent reports that a fraud ring has stolen the personal and financial information of an estimated 145,000 consumers from computer databases maintained by ChoicePoint, Inc., have underscored the need for tougher safeguards against identity theft. Consumer groups are urging lawmakers to enact new identity theft protections like giving consumers the right to lock up their credit files with a security freeze and requiring companies to notify consumers when sensitive customer information has been compromised.

Four states already have security freeze laws on the books and another 11 states are considering adopting the safeguard. California is the only state that requires companies to notify customers about breached security. Other states are beginning to look at such notification requirements.

“Consumers need the ability to prevent identity thieves from getting credit in their names,” said Gail Hillebrand, Senior Attorney for Consumers Union. “A security freeze lets consumers decide for themselves when potential new creditors get to see their credit file, which stops identity thieves in their tracks.”

A security freeze lets the consumer stop anyone from looking at his or her own credit reporting file for purposes of granting credit unless the consumer chooses to let that particular business look at the consumer’s information. When an imposter seeks credit in the consumer’s name, the creditor checks the credit reporting file. If the file is frozen, the creditor will deny the thief’s credit application. When the consumer is applying for credit, the consumer can lift the freeze so that a particular creditor can see the credit file. When the consumer is not seeking credit, the security freeze effectively prevents anyone else from getting credit in the consumer’s name.

California law enables consumers to put a security freeze on their credit reporting file at any time, even if they have not been victimized by identity theft. A similar security freeze right goes into effect in Louisiana in July 2005. Texas law allows consumers to put a security freeze on their credit files after they have filed a police report detailing that they have become victims of identity theft. Consumers in Vermont will have the same right starting in July 2005. Eleven states are currently considering security freeze legislation: Colorado, Connecticut, Hawaii, Illinois, Indiana, Maine, Maryland, Massachusetts, Oregon, Utah, and Washington. Lawmakers in Texas have introduced a bill to strengthen the state’s existing security freeze law to allow all consumers – not just identity theft victims – to take advantage of the safeguard.

“Identity theft is the fast growing form of fraud in the U.S. and ruins the credit of millions of Americans every year,” said Kerry Smith, Senior Consumer Attorney for the National Association of State PIRGs. “Consumers need the right to put a security freeze on their credit files so they can protect their financial privacy and prevent thieves from stealing their identities.”

News reports about the ChoicePoint fraud ring began to surface after the company notified an estimated 35,000 consumers in California that the security of their personal and financial information had been compromised. ChoicePoint was required to notify Californians about the security breach because of a state law that requires companies to inform consumers when the security of information held about them has been breached. No other state requires such notification. Lawmakers in Massachusetts and Illinois have introduced legislation to extend the notification requirement to consumers in their states and consumer groups are urging other states to follow suit. After news about the ChoicePoint scandal became public, the company announced that it would notify consumers in states outside of California.

“It shouldn’t be left up to a company that has had its security breached to decide which consumers to notify when sensitive information may have been compromised,” said Hillebrand. “Consumers across the country deserve the right to know when a company’s security has been breached,” said Hillebrand.

More information about state efforts to enact security freeze legislation is available on the Consumers Union website at: http://www.consumersunion.org/campaigns//learn_more/001833indiv.html